
some of the worst API security i've EVER seen

YouTube Video

This YouTube video details a security researcher’s findings on vulnerabilities within the McDonald’s India MCD delivery app. Key points include:

Vulnerabilities Discovered:

  • Broken Object Level Authorization (BOLA): The researcher could access details of any order using easily guessable or sequentially incrementable order IDs, regardless of user ID. This allowed access to order status, location, and even the ability to leave feedback on other users’ orders.

  • Authentication Not Tied to Authorization: The app used JWTs (JSON Web Tokens) for API authentication, but the backend only checked that a token was valid; it never checked that the token's user actually owned the order being accessed. Any authenticated account therefore passed the check, which compounded the BOLA issue.

  • Mass Assignment Vulnerability: The order-update API accepted client-supplied values for server-owned fields, including the price, so the researcher could rewrite an order's total through API calls. This allowed ordering a large number of items (e.g., 100 hash browns) for one rupee.

  • Unsecured Admin Panel: The admin panel's endpoints accepted ordinary consumer JWT tokens, so any customer account could pull KPI reports intended for staff.

  • Hidden API Endpoints: The researcher found a hidden user creation API and a hidden login endpoint bypassing the standard verification process. This allowed account creation without verification.

  • Order Hijacking (Time-of-Check, Time-of-Use): The researcher demonstrated changing the delivery address of another user's in-progress order to their own, provided the timing was right. The attacker needs the order ID and must submit the change in the window after the order is placed but before it is finalized.
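The BOLA, mass-assignment and address-change flaws above share one root cause: the backend authenticates the caller but never ties the caller to the object being touched. The following is an added example, not code from the video or from the McDonald's India app: a toy order API with the vulnerable handlers next to hardened ones. The order data, field names, HS256 key and handler names are all constructed for this illustration.

```python
"""
Added example (not from the video or the McDonald's India app): a toy order
API showing BOLA, mass assignment and unchecked address changes, each beside
a hardened handler.  Every ID, field, key and name here is constructed.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"demo-hs256-key"  # constructed server-side signing key

# Constructed order store with sequential, guessable IDs, as in the summary.
ORDERS = {
    1001: {"owner": "user-a", "status": "preparing",
           "address": "12 A Street", "price": 499.0},
    1002: {"owner": "user-b", "status": "out for delivery",
           "address": "7 B Road", "price": 299.0},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str) -> str:
    """Issue an HS256 JWT whose only claim is the user ID."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps({"sub": sub}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str):
    """Authentication only: returns the claims if the signature checks, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None  # refuse alg confusion such as "none"
        return json.loads(_unb64url(payload))
    except (ValueError, KeyError):
        return None


# ---- Vulnerable handlers: a valid token for *any* account is enough ----

def get_order_vulnerable(token, order_id):
    if verify_token(token) is None:
        return 401, {}
    order = ORDERS.get(order_id)           # never compares owner to the token
    return (200, order) if order else (404, {})


def update_order_vulnerable(token, order_id, patch):
    if verify_token(token) is None:
        return 401, {}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {}
    order.update(patch)                    # mass assignment: price, owner, anything
    return 200, order


# ---- Hardened handlers: object-level check plus a field allowlist ----

CLIENT_WRITABLE = {"address"}              # price/owner/status are server-owned
ADDRESS_LOCKED_IN = {"out for delivery", "delivered"}


def _owned_order(claims, order_id):
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != claims.get("sub"):
        return None                        # same answer for "missing" and "not yours"
    return order


def get_order(token, order_id):
    claims = verify_token(token)
    if claims is None:
        return 401, {}
    order = _owned_order(claims, order_id)
    return (200, order) if order else (404, {})


def update_order(token, order_id, patch):
    claims = verify_token(token)
    if claims is None:
        return 401, {}
    order = _owned_order(claims, order_id)
    if order is None:
        return 404, {}
    rejected = sorted(set(patch) - CLIENT_WRITABLE)
    if rejected:
        return 400, {"error": f"read-only fields: {rejected}"}
    if "address" in patch and order["status"] in ADDRESS_LOCKED_IN:
        return 409, {"error": "address cannot change once dispatched"}
    order.update(patch)
    return 200, order


if __name__ == "__main__":
    attacker = mint_token("user-c")        # a real account, just not the owner
    print(get_order_vulnerable(attacker, 1001))   # leaks user-a's order
    print(get_order(attacker, 1001))              # (404, {})
    print(update_order_vulnerable(attacker, 1002, {"price": 1.0}))  # price rewritten
    print(update_order(mint_token("user-b"), 1002, {"address": "elsewhere"}))  # 409
```

Two design points matter here. The ownership check returns the same 404 whether the order is missing or belongs to someone else, so sequential IDs cannot be used to enumerate which orders exist. The allowlist is a positive list of client-writable fields rather than a denylist of forbidden ones, so a new server-owned field added later is protected by default; the status lock on the address field closes the in-flight hijack window even for the legitimate owner.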

Impact:

  • Access to sensitive user and driver information (names, phone numbers, email addresses, license plate numbers, etc.)
  • Ability to order large quantities of food for a negligible cost.
  • Potential to redirect deliveries to different addresses.

Positive Outcomes:

  • The researcher responsibly reported the vulnerabilities to McDonald’s India.
  • McDonald’s India responded positively, fixing all issues and awarding a bounty.
  • The incident highlights the importance of robust security practices and bug bounty programs.

Overall: The video showcases significant vulnerabilities in the McDonald’s India delivery app due to a combination of insecure API design and implementation flaws. The researcher’s ethical disclosure and McDonald’s positive response illustrate a best-case scenario in responsible vulnerability disclosure. The vulnerabilities themselves, however, are quite severe and highlight the potential for significant data breaches and financial losses if left unaddressed.
